Senate Committee Considers Options on Data Issues

With several bills that address data security and identity theft already in the congressional mix, the U.S. Senate Committee on Commerce, Science & Transportation considered legislative options yesterday at a hearing on those topics.

Meanwhile, the Federal Deposit Insurance Corp. began notifying about 6,000 current and former employees that their personal data were breached and that the breach had resulted in fraud, according to a report in yesterday's Washington Post.

The newspaper said that letters to employees were dated June 9 and advised the individuals to monitor their credit reports and accounts. The data included names, birth dates, Social Security numbers and salary information on FDIC employees from 2002 forward.

In what the letter characterized as a "small number of cases," the data were used improperly to gain credit union loans.

The Washington Post reported that the letter said the breach happened early last year and was discovered recently but no other details were offered.

Also yesterday, Equifax Canada revealed that apparently hackers had improperly used customer access codes and security passwords to obtain credit files on about 600 Canadians.

Sen. Gordon Smith, R-OR, presided over yesterday's hearing and began by saying that an identity theft and data security bill written by him is forthcoming.

The first panel consisted of testimony by William Sorrell, Vermont attorney general and president of the National Association of Attorneys General, who said that since he had not consulted with all of his colleagues in the association, his comments reflected only his position as attorney general of Vermont.

"The reality is that quite apart from our cash assets our truly valuable assets are not our possessions but our access to credit," he said. "Consumers need government help to protect themselves from identity theft."

Sorrell testified that he encourages a federal security breach notification law but fears state preemption. He viewed the federal law as a floor, not a ceiling, on which states should be allowed to build.

He also commended the California notification law and suggested giving consumers the option to freeze their credit reports.

The second panel included Federal Trade Commission chairman Deborah Platt Majoras and the four FTC commissioners.

Majoras testified on behalf of herself and the commissioners, reiterating her comments from previous congressional hearings by outlining the Fair Credit Reporting Act, Gramm Leach Bliley and Section Five of the FTC Act prohibiting unfair and deceptive trade practices as existing legislation that regulates some data brokering.

She spoke of the need for further legislation regarding data security and identity theft. The commission urged mandatory security measures for all companies that collect and store sensitive personal information on consumers. Majoras said a law similar to the Safeguards Rule under GLB that requires physical, technical and procedural safeguards for financial information might be considered.

The FTC also recommended the consideration of a data breach notification law as well as legislation outlining legitimate and illegitimate collection, use and transfer of Social Security numbers.

Other lawmakers, including Sens. Charles Schumer, D-NY; Bill Nelson, D-FL; and Dianne Feinstein, D-CA, gave opening statements and spoke about the bills that they had previously introduced.

Schumer and Nelson introduced an identity theft prevention bill in April to create an FTC office of identity theft and require data providers to register with the commission. Other provisions would institute safeguards to prevent fraudulent access to data and give consumers access and the option to fix errors.

Their legislation also would mandate notice of third-party data disclosure and notification of breaches. Provisions related to Social Security numbers would prohibit companies from asking for the numbers unless necessary for a transaction; prohibit display of Social Security numbers on employee IDs; ban the sale and purchase of the numbers except for law enforcement, national security and fraud purposes; and grant the attorney general the ability to define exemptions.

Also in April, Feinstein offered a revised version of the Notification of Risk to Personal Data Act that she first introduced Jan. 24. The original bill required mandatory notification when sensitive data are breached. The revision adds provisions to close loopholes that exempt encrypted data and specify the contents of the notices.

Legislation started appearing when high-profile data breaches began coming to light this year. Data provider ChoicePoint notified 35,000 California consumers that their information may have been accessed in late January as required by state law. On Feb. 16, it said another 110,000 letters would be sent nationwide involving the accessed data.

Bank of America confirmed Feb. 25 that some of its computer data tapes containing personal and account information for 1.2 million federal government charge card program customers were lost during shipment to a backup data center.

LexisNexis on March 9 said personal information of 32,000 consumers had been accessed through misappropriation of legitimate customer identifications and passwords from its Seisint database. After an internal investigation, it said April 12 that another 280,000 consumers were at risk.

DSW Shoe Warehouse parent Retail Ventures Inc. said March 8 that DSW suffered a data theft affecting 103 of its 175 U.S. stores. On April 18, Retail Ventures, Columbus, OH, issued a statement based on an investigation saying 1.4 million credit card transactions and 96,000 check payments were discovered across 108 DSW stores. Ohio Attorney General Jim Petro filed a complaint against DSW Inc. involving the firm's handling of the data breach, seeking to have all affected individuals notified.

CitiFinancial, a consumer lending branch of Citigroup, said June 6 that it has begun notifying 3.9 million of its U.S. branch network customers that computer tapes containing personal information were lost by United Parcel Service on the way to a credit bureau. The data involved current U.S. CitiFinancial branch network customers and information on closed accounts from CitiFinancial Retail Services but included no data from CitiFinancial Auto, CitiFinancial Mortgage or any other Citigroup business, the firm said. Personal information on the tapes included names, Social Security numbers, account numbers and payment histories. The firm also said it would halt its practice of shipping consumer data on tapes, opting to begin sending encrypted data electronically as of July.

Kristen Bremner covers list news, insert media, privacy and fundraising for DM News and DMNews.com. To keep up with the latest developments in these areas, subscribe to our daily and weekly e-mail newsletters by visiting www.dmnews.com/newsletters

EXTENDED DEADLINE

You have until Wednesday, December 7 to get your entries in. Learn more here.